ResourcePermission

Defines the permission model for different types of resources in the system, establishing what operations are possible on each resource type and how permissions are inherited, delegated, and combined. This entity acts as a template that describes all possible permissions for resource categories like 'documents', 'databases', or 'apis', serving as the blueprint for access control decisions. It defines not just CRUD operations but complex, resource-specific actions like 'publish', 'archive', 'approve', or 'rollback'. Each resource type can have its own permission hierarchy, in which holding 'manage' might automatically grant 'write' and 'read'. The entity specifies ownership models (who gets which permissions when creating a resource), inheritance rules (how folder permissions flow to files), and aggregation patterns (how multiple permissions combine). It handles resource lifecycle permissions, defining who can transition resources between states like draft → review → published. The entity also defines permission dependencies (you need 'read' to have 'write'), mutual exclusions (you cannot hold both 'approve' and 'submit'), and contextual variations (different permissions in different environments). This is essential for building flexible yet consistent authorization across diverse resource types while maintaining the principle of least privilege. It enables features like temporary access elevation, permission templates for common scenarios, and automated permission assignment based on resource characteristics.

32 properties
Schema

Properties

| Property | Type | Mode | Description | Required |
| --- | --- | --- | --- | --- |
| permissionId | uuid | stored | Unique identifier for this resource permission | Required |
| resourceType | string | stored | Type of resource this permission applies to. Example: "document" | Required |
| permissionCode | string | stored | Unique code for this permission. Example: "document.publish" | Required |
| permissionName | string | stored | Human-readable permission name. Example: "Publish Document" | Required |
| description | string | stored | Detailed explanation of what this permission allows. Example: "Allows publishing documents from draft to public state, making them visible to all authorized users" | Optional |
| operation | string | stored | The operation this permission enables. Example: "publish" | Required |
| category | string | enum | Category of permission. Values: read, write, delete, manage, share, workflow, admin, system | Required |
| riskLevel | string | enum | Risk assessment of granting this permission. Values: low, medium, high, critical | Optional |
| scope | string | enum | Scope of the permission. Values: own, department, organization, global, delegated | Optional |
| impliedPermissions | string | stored | JSON array of permissions automatically included. Example: "[\"document.read\",\"document.download\"]" | Optional |
| requiredPermissions | string | stored | JSON array of prerequisite permissions. Example: "[\"document.read\",\"document.write\"]" | Optional |
| conflictingPermissions | string | stored | JSON array of mutually exclusive permissions. Example: "[\"document.archive\",\"document.delete\"]" | Optional |
| parentPermission | ResourcePermission | stored | Parent permission in hierarchy | Optional |
| isInheritable | boolean | stored | Whether child resources inherit this permission | Optional |
| isDelegatable | boolean | stored | Whether holders can delegate this permission | Optional |
| isTransferable | boolean | stored | Whether permission can be transferred between users | Optional |
| requiresMfa | boolean | stored | Whether MFA is required to use this permission | Optional |
| requiresApproval | boolean | stored | Whether using this permission needs approval | Optional |
| approvalConfig | string | stored | JSON configuration for approval workflow | Optional |
| auditLevel | string | enum | Required audit level when permission is used. Values: none, basic, detailed, full | Optional |
| validStates | string | stored | JSON array of resource states where permission applies. Example: "[\"draft\",\"review\",\"approved\"]" | Optional |
| fieldLevel | boolean | stored | Whether permission can be applied at field level | Optional |
| defaultOwnerGrant | boolean | stored | Whether resource owners get this permission by default | Optional |
| defaultCreatorGrant | boolean | stored | Whether resource creators get this permission by default | Optional |
| maxDelegationDepth | integer | stored | Maximum delegation chain length | Optional |
| timeRestrictions | string | stored | JSON time-based restrictions | Optional |
| usageQuota | integer | stored | Maximum uses per time period | Optional |
| quotaPeriod | string | stored | Time period for usage quota | Optional |
| isActive | boolean | stored | Whether this permission is currently available | Optional |
| isSystem | boolean | stored | Whether this is a system-defined permission | Optional |
| createdAt | DateTime | stored | When this permission was defined | Required |
| metadata | object | stored | Additional permission configuration | Optional |

Examples

Example 1

{
  "@type": "ResourcePermission",
  "permissionId": "perm_doc_publish",
  "resourceType": "document",
  "permissionCode": "document.publish",
  "permissionName": "Publish Document",
  "description": "Allows changing document state from draft/review to published, making it visible to all users with read access",
  "operation": "publish",
  "category": "workflow",
  "riskLevel": "medium",
  "scope": "own",
  "impliedPermissions": "[\"document.read\",\"document.view_history\"]",
  "requiredPermissions": "[\"document.write\",\"document.review\"]",
  "conflictingPermissions": "[\"document.draft_only\"]",
  "isInheritable": false,
  "isDelegatable": true,
  "isTransferable": false,
  "requiresMfa": true,
  "requiresApproval": true,
  "approvalConfig": "{\"approvers\":[\"document_owner\",\"team_lead\"],\"timeout_hours\":48}",
  "auditLevel": "detailed",
  "validStates": "[\"review\",\"approved\"]",
  "fieldLevel": false,
  "defaultOwnerGrant": true,
  "defaultCreatorGrant": false,
  "maxDelegationDepth": 1,
  "timeRestrictions": "{\"allowed_hours\":\"09:00-18:00\",\"allowed_days\":[\"mon\",\"tue\",\"wed\",\"thu\",\"fri\"]}",
  "isActive": true,
  "isSystem": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "workflow_step": "publish",
    "notification_required": true
  }
}

Example 2

{
  "@type": "ResourcePermission",
  "permissionId": "perm_db_export",
  "resourceType": "database",
  "permissionCode": "database.export",
  "permissionName": "Export Database",
  "description": "Allows exporting entire database contents including schema and data",
  "operation": "export",
  "category": "admin",
  "riskLevel": "critical",
  "scope": "organization",
  "impliedPermissions": "[\"database.read\",\"database.query\"]",
  "requiredPermissions": "[\"database.admin\"]",
  "conflictingPermissions": "[\"database.readonly\"]",
  "isInheritable": false,
  "isDelegatable": false,
  "isTransferable": false,
  "requiresMfa": true,
  "requiresApproval": true,
  "approvalConfig": "{\"approvers\":[\"dba\",\"security_team\"],\"timeout_hours\":24,\"emergency_bypass\":true}",
  "auditLevel": "full",
  "fieldLevel": false,
  "defaultOwnerGrant": false,
  "defaultCreatorGrant": false,
  "maxDelegationDepth": 0,
  "usageQuota": 5,
  "quotaPeriod": "month",
  "isActive": true,
  "isSystem": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "compliance_check": "required",
    "data_classification": "sensitive"
  }
}
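A resolver over the two definitions above, as an added example that is not part of this schema page: it decodes the JSON-string fields (impliedPermissions, requiredPermissions, conflictingPermissions, validStates) the way the schema stores them, expands implied permissions transitively, reports why a grant would violate the prerequisite and mutual-exclusion rules, and gates use on validStates and requiresMfa. The function names, the return shapes, and the symmetric treatment of conflicts are assumptions, not part of the entity definition.

```python
import json
# Constructed from the page's two examples (only the fields read here); JSON-array fields stay as strings.
PERMISSIONS = {
    "document.publish": {
        "impliedPermissions": '["document.read","document.view_history"]',
        "requiredPermissions": '["document.write","document.review"]',
        "conflictingPermissions": '["document.draft_only"]',
        "validStates": '["review","approved"]',
        "requiresMfa": True,
    },
    "database.export": {  # no validStates on the page: usable in any state
        "impliedPermissions": '["database.read","database.query"]',
        "requiredPermissions": '["database.admin"]',
        "conflictingPermissions": '["database.readonly"]',
        "requiresMfa": True,
    },
}

def _codes(defn, key):
    raw = defn.get(key)  # decode a JSON-array string field into a set of codes
    return set(json.loads(raw)) if raw else set()

def expand(held):
    """Effective permissions: transitive closure of impliedPermissions over `held`."""
    result, todo = set(held), list(held)
    while todo:
        for implied in _codes(PERMISSIONS.get(todo.pop(), {}), "impliedPermissions") - result:
            result.add(implied)
            todo.append(implied)
    return result

def grant_problems(code, held):
    """Why `code` may not be added to `held`: unmet prerequisites and mutual exclusions (checked both ways)."""
    defn, effective = PERMISSIONS[code], expand(held)
    conflicts = _codes(defn, "conflictingPermissions") & effective
    conflicts |= {h for h in effective if code in _codes(PERMISSIONS.get(h, {}), "conflictingPermissions")}
    return ([f"missing prerequisite {p}" for p in sorted(_codes(defn, "requiredPermissions") - effective)]
            + [f"conflicts with held {c}" for c in sorted(conflicts)])

def authorize(code, held, resource_state, mfa_verified):
    if code not in expand(held):  # held directly or by implication
        return False, "permission not held"
    defn = PERMISSIONS.get(code, {})
    states = _codes(defn, "validStates")
    if states and resource_state not in states:  # lifecycle gate from validStates
        return False, f"not allowed in state {resource_state}"
    if defn.get("requiresMfa") and not mfa_verified:
        return False, "MFA required"
    return True, "allowed"
```

Codes that appear only inside impliedPermissions (such as document.read) have no definition of their own in this constructed table, so they carry no state or MFA restriction when exercised by implication.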